TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Employees Continue to Be Susceptible to Social Engineering Attempts That Could Be Used by Hackers

July 20, 2007

Reference Number: 2007-20-107

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process, and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals

Phone Number  | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site      | http://www.tigta.gov


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

July 20, 2007

MEMORANDUM FOR CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

FROM: Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Employees Continue to Be Susceptible to Social Engineering Attempts That Could Be Used by Hackers (Audit # 200720029)

This report presents the results of our review to evaluate the susceptibility of Internal Revenue Service (IRS) employees to social engineering[1] attempts that could be used by hackers to gain access to IRS systems. This review is part of our statutory requirement to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer

The IRS has nearly 100,000 employees and contractors who have access to tax return information processed on approximately 240 computer systems and over 1,500 databases. Using social engineering tactics, we determined that IRS employees, including managers, are not complying with the rudimentary computer security practice of protecting their passwords. As a result, the IRS is at risk of providing unauthorized persons access to taxpayer data that could be used for identity theft and other fraudulent schemes.

Synopsis

We made 102 telephone calls to IRS employees, including managers and a contractor, and posed as computer support helpdesk representatives. Under this scenario, we asked for each employee's assistance to correct a computer problem and requested that the employee provide his or her username and temporarily change his or her password to one we suggested. We were able to convince 61 (60 percent) of the 102 employees to comply with our requests. As part of the audit, we also evaluated whether employees contacted appropriate offices to report or validate our test calls. Only 8 of the 102 employees in our sample contacted either the audit team, the Treasury Inspector General for Tax Administration Office of Investigations, or the IRS computer security organization to validate our test as being part of an official Treasury Inspector General for Tax Administration audit.

The above conditions were particularly alarming because we had conducted similar social engineering test telephone calls in August 2001 and December 2004.[2] Our 2001 and 2004 test calls yielded 71 percent and 35 percent noncompliance rates, respectively. In response to these two prior audits, the IRS took corrective actions to raise awareness of password protection requirements and social engineering attempts. However, the corrective actions have not been effective. Based on the results of this audit, we conclude employees either do not fully understand security requirements for password protection or do not place a sufficiently high priority on protecting taxpayer data in their day-to-day work. To better understand employee behavior, we asked the employees in our sample why they did not comply with IRS password security requirements. Some of the notable reasons given were that the employee thought the scenario sounded legitimate and believable, did not think changing his or her password was the same as disclosing the password, or had experienced past computer problems.

When employees are susceptible to social engineering attempts, the IRS is at risk of providing unauthorized persons access to computer resources and taxpayer data. In addition, when attempts at social engineering are not reported to appropriate personnel, the IRS cannot investigate incidents and take action to minimize the effect of a security breach.

Recommendations

The Chief, Mission Assurance and Security Services, should continue security awareness activities to remind employees of the potential for social engineering attempts and the need to report these incidents to the IRS computer security organization; conduct internal social engineering tests on a periodic basis to increase employees' security awareness of the need to protect usernames and passwords; and coordinate with business units to emphasize the need to discipline employees for security violations resulting from negligence or carelessness.

Response

IRS management agreed with our recommendations. The Mission Assurance and Security Services organization will continue to deliver social engineering messages and use results from a social engineering survey to remind employees of the potential for social engineering attempts and the need to report these incidents to the IRS Computer Security Incident Response Center. Also, the Mission Assurance and Security Services organization will conduct at least one internal social engineering test during Fiscal Year 2008 to increase employees' security awareness and the need to protect usernames and passwords. The test will be robust and statistically diverse, surveying thousands of IRS employees. The IRS will communicate the results of the tests to business units to increase awareness. Additionally, a revised Penalty Guide has been developed and is currently being negotiated with the National Treasury Employees Union. When the Guide is published, the Mission Assurance and Security Services organization will emphasize to the business units the need to implement the new guidance. Management's complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions, or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

[1] A method used to circumvent existing computer security controls by exploiting the human element to obtain sensitive information that can be used to access computer resources and data.
[2] Management Advisory Report: Network Penetration Study of Internal Revenue Service Systems (Reference Number 2002-20-057, dated March 2002) and While Progress Has Been Made, Managers and Employees Are Still Susceptible to Social Engineering Techniques (Reference Number 2005-20-042, dated March 2005).


Table of Contents

Background
Results of Review
    Employees Continue to Struggle With Complying With the Basic Security Requirements of Protecting Their Passwords and Reporting Possible Security Incidents
        Recommendation 1
        Recommendations 2 and 3
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Results From Test Calls
    Appendix V – Management's Response to the Draft Report


Abbreviations

IRS     Internal Revenue Service
TIGTA   Treasury Inspector General for Tax Administration


Background

During an interview with National Public Radio on April 7, 2007, regarding the Treasury Inspector General for Tax Administration (TIGTA) audit report[1] on the loss of computers containing sensitive taxpayer data, the Internal Revenue Service (IRS) Commissioner stated, "Every day, there are attempts to get into our databases, and there has never been a penetration of the IRS databases from the outside." In recent years, TIGTA Office of Audit penetration tests have confirmed that the IRS has secured its computer network perimeters from external cyber threats.

As more attacks are blocked at an organization's computer network perimeters, hackers have turned to alternative methods to break into computer systems and steal sensitive data. One method is social engineering, which is used to circumvent existing computer security controls by exploiting the human element to obtain sensitive information that can be used to access computer resources and data. A typical social engineering tactic involves a hacker posing as an internal employee, such as a computer support person, and calling employees to convince them to share critical information about (1) the organization, computer system, or infrastructure or (2) their usernames and passwords.

We have previously conducted two tests to evaluate employee susceptibility to social engineering attempts. In August 2001, we found 71 of 100 employees were willing to provide us with their usernames and change their passwords to one we suggested.[2] In December 2004, we used the same methodology and found a roughly 50 percent improvement, with only 35 of 100 employees willing to provide their usernames and change their passwords.[3] From both audits, we made recommendations to improve employee training on social engineering attempts and issue periodic awareness publications on the dangers of social engineering.

Exposing sensitive data unnecessarily can lead to potential identity theft and/or other fraudulent schemes. Identity theft refers to a crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for financial or economic gain. According to the Federal Bureau of Investigation, identity theft is one of the fastest growing white-collar crimes in the United States. The Department of Commerce estimates that more than 50 million identities were compromised in Calendar Year 2005. The challenges for the IRS in protecting against identity theft are the amount and sensitivity of the information it processes and the sheer size of the organization, which employs nearly 100,000 employees and contractors who have access to tax return information processed on approximately 240 computer systems and over 1,500 databases.

This review is part of our statutory requirement to annually review the adequacy and security of IRS technology. We also recognized the enormous political risk of exposing sensitive taxpayer information, and the importance of educating employees on protecting taxpayer data and following up to ensure security solutions are working as intended. This review was performed from our office in Walnut Creek, California, and in the Office of Mission Assurance and Security Services in Lanham, Maryland, during the period March through April 2007. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Electronic Media Devices (Reference Number 2007-20-048, dated March 23, 2007).
[2] Management Advisory Report: Network Penetration Study of Internal Revenue Service Systems (Reference Number 2002-20-057, dated March 2002).
[3] While Progress Has Been Made, Managers and Employees Are Still Susceptible to Social Engineering Techniques (Reference Number 2005-20-042, dated March 2005).


Results of Review

Employees Continue to Struggle With Complying With the Basic Security Requirements of Protecting Their Passwords and Reporting Possible Security Incidents

Password protection is one of the most basic computer security practices for organizations, and the IRS has adequate password policies and procedures. Managers and employees are not to reveal or share their passwords with anyone, regardless of his or her position inside or outside of the IRS. This includes, but is not limited to, the employee's manager, helpdesk staff, system administrators, and security personnel. Additionally, employees are not to accept passwords that are not delivered securely. Password protection allows the IRS to limit access to its computer resources and taxpayer data to persons who need it to accomplish their official duties. To support password security awareness, the IRS requires all managers and employees to acknowledge these rules prior to obtaining access to any IRS computer systems and to annually recertify that they are aware of their responsibilities.

The IRS has posted these requirements and password security policies on its internal web site. The web site also has a document that describes social engineering and provides examples of social engineering attempts, specifically mentioning the use of telephone calls to conduct this type of attack. The document uses an example of a caller pretending to be someone needing assistance and attempting to get the employee to reveal his or her logon information and change his or her password to one the caller suggests.

While these awareness efforts are notable, managers and employees continue to be susceptible to social engineering attempts. We made 102 telephone calls to employees, including managers and a contractor, and posed as Modernization and Information Technology Services organization helpdesk personnel who were seeking assistance to correct a network problem. This is the same scenario we used in our prior two social engineering tests. Under this scenario, we asked each employee to provide his or her username and temporarily change his or her password to one we suggested. We were able to convince 61 (60 percent) of the 102 employees to comply with our requests, even though doing so violated IRS security policy and procedures. Appendix IV provides further details about our sample and audit results.

We limited our sample to 102 employees because we had to make the telephone calls quickly, before our tests were publicized throughout the IRS. Due to the sample size, we were unable to project our results throughout the IRS. However, we believe our sample was sufficient to demonstrate that IRS employees continue to be susceptible to social engineering attempts and that employees do not place sufficient emphasis on the security of taxpayer data in their day-to-day activities.

To better understand employee behavior, after informing the employees and managers in our sample that the calls were part of a TIGTA social engineering audit, we asked them why they did not comply with IRS password security requirements. The 61 noncompliant employees provided the following reasons:

    •   The scenario sounded legitimate and believable (21 employees).
    •   The employee believed changing his or her password was not the same as disclosing the password, which he or she knew was against the rules (10 employees).
    •   The employee knew the rules but changed his or her password anyway (8 employees).
    •   The employee was having or had previously had computer problems (7 employees).
    •   The employee had a lack of training or did not know the rules to protect his or her password (4 employees).
    •   No reason was provided (11 employees).

The 41 employees who complied with the password security requirements provided the following reasons for not providing their passwords:

    •   Awareness training, email advisories, or group meetings reinforced the need for protecting his or her username and/or password (20 employees).
    •   The employee did not believe the scenario or could not verify the caller (17 employees).
    •   No reason was cited (4 employees).

As part of this audit, we also evaluated whether IRS employees contacted appropriate personnel after we had informed them the calls were part of a TIGTA audit and ended the calls. Potential security breaches, including attempted and actual security breaches, should be forwarded to the IRS computer security organization for notification and further evaluation. Information on these incidents allows the computer security organization to minimize the impact of a security breach and determine whether the IRS is being attacked on various fronts or the incidents are isolated.

The IRS computer security organization received contact from only one IRS employee, who reported that a call came from the TIGTA Office of Audit as part of the social engineering test and that he or she was concerned about the test.

In addition, the following contacts were made by IRS employees:

    •   The manager of the audit team received telephone calls from three employees to verify the calls were part of an official TIGTA audit.
    •   The TIGTA Office of Investigations received contacts from four employees who had been called as part of this test.

The IRS cannot react swiftly to thwart social engineering attempts and other potential security breaches when employees do not notify appropriate authorities. While our calls were part of an official TIGTA audit, hackers could include a reference to a nonexistent TIGTA audit in an attempt to divert attention from their social engineering attempts, particularly if an employee questions the call.

The above conditions were particularly alarming because we had conducted similar social engineering test telephone calls in August 2001 and December 2004. In the respective management responses to those audits, the IRS stated it:

    •   Would update its security awareness program to include training on computer intrusions and unauthorized access and use existing media, such as the annual security training and security awareness week, to communicate IRS security standards on password protection procedures.
    •   Had incorporated the topic of social engineering into its mandatory annual Online Security Awareness Training, which included examples and scenarios of attempts used to gain access to IRS systems. In addition, the IRS stated periodic reminders would be issued in the forms of (1) all-employee notices that would be included with employees' Earnings and Leave statements and (2) articles in the computer security newsletter.

These corrective actions were completed but have not been effective. Based on our results, we conclude employees either do not fully understand security requirements for password protection or do not place a high priority on protecting taxpayer data in their day-to-day work.

When employees are susceptible to social engineering attempts, the IRS is at risk of providing unauthorized persons access to computer resources and taxpayer data that could be used for identity theft and other fraudulent purposes. In addition, when attempts at social engineering are not reported to appropriate personnel, the IRS cannot investigate incidents and take action to minimize the effect of a security breach.

Recommendations

The Chief, Mission Assurance and Security Services, should:

Recommendation 1: Continue security awareness activities to remind employees of the potential for social engineering attempts and the need to report these incidents to the IRS Computer Security Incident Response Center in the Office of Mission Assurance and Security Services.

    Management's Response: The Chief, Mission Assurance and Security Services, agreed with our recommendation and will continue to deliver social engineering messages as specified in the 2007 Information Security Awareness Plan. In addition, the Mission Assurance and Security Services organization has worked with the Communications and Liaison organization to conduct a survey on social engineering to assess the knowledge base of IRS personnel. The results of this survey are being used to tailor future communications efforts to remind employees of the potential for social engineering attempts and the need to report these incidents to the IRS Computer Security Incident Response Center.

Recommendation 2: Conduct internal social engineering tests on a periodic basis to increase employees' security awareness of the need to protect usernames and passwords. The results of these tests should be provided to all IRS employees.

    Management's Response: The Chief, Mission Assurance and Security Services, agreed with our recommendation and will conduct at least one internal social engineering test during Fiscal Year 2008, using lessons learned from TIGTA tests, to increase employees' security awareness and the need to protect usernames and passwords. The test sample will be robust and statistically diverse, surveying thousands of IRS employees. The results of these tests will be communicated to business units to increase awareness.

Recommendation 3: Coordinate with business units to emphasize the need to discipline employees for security violations resulting from negligence or carelessness.

    Management's Response: The Chief, Mission Assurance and Security Services, agreed with our recommendation. A revised Penalty Guide has been developed and is currently being negotiated with the National Treasury Employees Union. When the Penalty Guide is published, the Mission Assurance and Security Services organization will emphasize to the business units through various communications the need to implement the new guidance.


Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to evaluate the susceptibility of IRS employees to social engineering[1] attempts that could be used by hackers to gain access to IRS systems. To accomplish this objective, we:

I.    Evaluated the adequacy of IRS security policies and procedures that have been established to guide employees in recognizing and handling social engineering attempts.

II.   Informed the Deputy Commissioner for Services and Enforcement; the Deputy Commissioner for Operations Support; the Chief, Mission Assurance and Security Services; and the TIGTA Office of Investigations of our social engineering tests on the day we made the telephone calls.

III.  Made telephone calls to IRS employees and managers posing as a Modernization and Information Technology Services organization helpdesk employee.

      A. Developed a scenario for social engineering attempts using telephone calls. We decided to use a scenario similar to the one we had used during our previous tests in 2001 and 2004.

      B. Judgmentally selected a sample of 102 IRS employees, including managers and a contractor, from a population of 95,858 employees who were outside of the Modernization and Information Technology Services and the Mission Assurance and Security Services organizations as of January 19, 2007. We used a judgmental sample because we were not projecting the audit results and needed to complete the telephone calls before our test was publicized throughout the IRS.

      C. Made 102 telephone calls in 1 day to the sample of employees.

IV.   Reviewed the planned corrective actions from our two previous social engineering reviews to determine whether the IRS' corrective actions had been implemented.[2]

[1] A method used to circumvent existing computer security controls by exploiting the human element to obtain sensitive information that can be used to access computer resources and data.
[2] Management Advisory Report: Network Penetration Study of Internal Revenue Service Systems (Reference Number 2002-20-057, dated March 2002) and While Progress Has Been Made, Managers and Employees Are Still Susceptible to Social Engineering Techniques (Reference Number 2005-20-042, dated March 2005).


Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Midori Ohno, Lead Auditor
Richard Borst, Senior Auditor
Cari Fogle, Senior Auditor
Michael Garcia, Senior Auditor
Allen Gray, Senior Auditor
Bret Hunter, Senior Auditor
Jody Kitazono, Senior Auditor
Louis Lee, Senior Auditor
Abraham Millado, Senior Auditor
Beverly Tamanaha, Senior Auditor
Louis Zullo, Senior Auditor


Appendix III

Report Distribution List

Acting Commissioner  C
Office of the Commissioner – Attn: Chief of Staff  C
Deputy Commissioner for Operations Support  OS
Deputy Commissioner for Services and Enforcement  SE
Chief Information Officer  OS:CIO
Chief Counsel  CC
National Taxpayer Advocate  TA
Director, Office of Legislative Affairs  CL:LA
Director, Office of Program Evaluation and Risk Analysis  RAS:O
Office of Internal Control  OS:CFO:CPIC:IC
Audit Liaisons:
    Chief Information Officer  OS:CIO
    Chief, Mission Assurance and Security Services  OS:MA


Appendix IV

Results From Test Calls

For further perspective on our test results, we gathered additional information on the telephone calls we made.

Figure 1 presents our results from the 102 IRS employees in our sample by IRS business unit.

Figure 1: Test Call Results by IRS Business Unit

    Business Unit                          Number of Employees   Changed Password
    Agency-Wide Shared Services                      3                   2
    Communications and Liaison                       1                   0
    Criminal Investigation                           2                   1
    Human Capital Office                             4                   2
    Large and Mid-Size Business                      4                   4
    National Taxpayer Advocate                       7                   3
    Office of Appeals                                4                   2
    Office of Chief Counsel                          2                   0
    Small Business/Self-Employed                    27                  15
    Tax Exempt and Government Entities               3                   2
    Wage and Investment                             45                  30
    TOTALS                                         102                  61

    Source: TIGTA analysis of the IRS business units included in the audit test.

Figure 2 presents our results by IRS locations of the 102 employees.

Figure 2: Test Call Results by IRS Location

    Location                                                        Number of Employees   Changed Password
    Western (California, Colorado, Nevada, Oregon, Utah,
      Washington, Wyoming)                                                  25                  18
    South (Florida, Georgia, Kentucky, Louisiana, Tennessee,
      and Texas)                                                            41                  22
    Midwest (Indiana, Kansas, Michigan, Missouri, Ohio,
      South Dakota)                                                         15                   7
    East (Connecticut, Delaware, Massachusetts, Maryland,
      New Jersey, New York, Pennsylvania, Washington, D.C.,
      and West Virginia)                                                    21                  14
    TOTALS                                                                 102                  61

    Source: TIGTA analysis of the IRS locations included in the audit test.

Figure 3 presents our results by employee and manager positions, based on the individual's job title. For example, job titles with the words supervisor, supervisory, manager, or branch chief were considered managers.

Figure 3: Test Call Results by Employee and Manager Positions

    Position        Number of Employees   Changed Password
    Employees[1]             79                  45
    Managers                 23                  16
    TOTALS                  102                  61

    Source: TIGTA analysis of the IRS positions included in the audit test.

[1] The total number of employees included a contractor.


Appendix V

Management's Response to the Draft Report

(Reproduced in the original report as scanned image pages; the text is not available in this version.)